RE: Neural Net based Host/Application Anomaly detection systems

From: Bob Walder
Date: 02/19/02

From: "Bob Walder"
To: "'Scott Nursten'", "'husmousa'"
Date: Tue, 19 Feb 2002 08:45:08 -0000


However, whilst I don't want to piss on anyone's bonfire here (US
trans="rain on anyone's parade" ;o) is that not similar - or at least part
of - what the likes of Okena and Entercept do (I know Okena does LOTS
more...)? Any key differences/similarities you would like to share?

Of course, even if it is the same functionality, an open source version
would be more than welcome.... more power to ya.



-----Original Message-----
From: Scott Nursten
Sent: 18 February 2002 18:57
To: husmousa
Subject: Re: Neural Net based Host/Application Anomaly detection systems

Working on security systems always involves using multi-layered approaches.
I can see this becoming a widely accepted product if it delivers what is
promised. I can also see it helping in certain non-invasive attempts to
exploit/overflow server-side code (i.e. when a script kiddie does a

GET /index.jsp?blah=aaaaaaaaaaaaaaaa x (50000)

) that might not trigger a standard NIDS signature but seems likely to
show up on your system. It also helps to have some feedback AFTER the
application has done the necessary translations (i.e. Unicode etc.) but I'm
not sure whether or not your product does that.

All in all, I'd say it's a good idea...! Where do we get the beta (alpha?)?


Scott Nursten

On 17/2/02 7:41 pm, "husmousa" wrote:

> Hi All,
> as part of a one-year graduation project we (a team of 4 CSCI graduates)
> developed an application-based anomaly detection system. By application
> I mean we focused on securing certain applications (in our case Apache and
> ftp). The reason we chose this approach was due to the analysis mode we
> Our analysis engine was based on a neural network which simply tries to
> "categorize" access requests in clusters. These clusters have been
> trained using lots and lots of log entries that have been grouped into
> categories (for example, normal, buffer overflow, cgi abuse, ... ).
> So far nothing new. The promise of this system though is that it has
> to detect previously unseen attacks. In fact in our limited lab tests we
> isolated some logs and used them later to test our system (without being
> previously used in training). This can approximately mimic the real world
> of new and modified attacks being used against IDS systems that can only
> detect known threats. Our initial results were impressive.
> Of course our system will never ever ever replace traditional
> based IDS systems (such as snort, realsecure, etc...) but it can
> add a good 10-20% of coverage power specifically against brand new
> I was deliberating on our next step. I wasn't so sure about how widely
> such a product would be accepted if offered as an open source standalone (or
> possibly as a plugin to SNORT).
> We still need to do some work on "commercializing" it, basically doing some
> training and resolving some performance issues.
> I hope I can generate a lot of feedback, thoughts, ideas, advice, ten
> two cents about this project
> thanks
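An added example (not code from the project or any poster in this thread) of the pipeline the original post describes and the two points Scott raises: categorise access-log requests by clustering on features learned from labelled log entries, and do it on the request as the server sees it after %xx decoding. The classifier here is a deliberately simple nearest-centroid model over four hand-picked features standing in for the team's neural network, and every log line, label and category name is constructed for the example; the categories "normal", "overflow" and "cgi_abuse" follow the post's own list.

```python
import math
import re
import statistics
from urllib.parse import unquote_to_bytes

# Pulls the request target out of an Apache common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

# Substrings that rarely occur in legitimate requests but are typical of
# CGI abuse (path traversal, command injection). Matched after decoding.
SUSPICIOUS = [b"..", b"/etc/", b"/bin/", b";", b"|", b"`", b"\n", b"$("]


def log_line(target, status=200):
    """Constructed log entry (not real traffic); only the request target matters here."""
    return '10.0.0.1 - - [17/Feb/2002:19:41:00 +0000] "GET %s HTTP/1.0" %d 0' % (target, status)


def target_of(line):
    m = REQUEST_RE.search(line)
    if m is None:
        raise ValueError("no request line found: %r" % line[:80])
    return m.group(1)


def decode_target(target):
    """Undo %xx escapes the way the server will, so encoded payloads look like decoded ones."""
    return unquote_to_bytes(target)


def longest_run(data):
    """Length of the longest run of one repeated byte (the 'aaaa...' overflow shape)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def features(target):
    """Four coarse per-request features; lengths are log-scaled so 5k and 50k stay comparable."""
    nonprint = sum(1 for b in target if b < 0x20 or b > 0x7E)
    return [
        math.log1p(len(target)),
        math.log1p(longest_run(target)),
        float(sum(1 for tok in SUSPICIOUS if tok in target)),
        nonprint / len(target) if target else 0.0,
    ]


class NearestCentroid:
    """Stand-in for the post's clustering engine: one centroid per category on
    z-scored features; an unseen request is assigned to the nearest centroid."""

    def __init__(self, labelled):
        vectors = [features(decode_target(target_of(line))) for _, line in labelled]
        columns = list(zip(*vectors))
        self.mean = [statistics.fmean(c) for c in columns]
        self.std = [max(statistics.pstdev(c), 1e-9) for c in columns]
        self.centroids = {}
        for label in sorted({lab for lab, _ in labelled}):
            members = [self.zscore(v) for (lab, _), v in zip(labelled, vectors) if lab == label]
            self.centroids[label] = [statistics.fmean(c) for c in zip(*members)]

    def zscore(self, vector):
        return [(x - m) / s for x, m, s in zip(vector, self.mean, self.std)]

    def classify(self, line):
        z = self.zscore(features(decode_target(target_of(line))))
        dist = {label: math.dist(z, c) for label, c in self.centroids.items()}
        label = min(dist, key=dist.get)
        return label, round(dist[label], 2)


# Constructed, hand-labelled training entries for the post's three categories.
TRAINING = [
    ("normal", log_line("/index.html")),
    ("normal", log_line("/images/logo.gif")),
    ("normal", log_line("/cgi-bin/search.cgi?q=apache+modules")),
    ("normal", log_line("/cgi-bin/login.cgi", 302)),
    ("normal", log_line("/docs/manual/mod/mod_ssl.html")),
    ("normal", log_line("/cgi-bin/search.cgi?q=mod%20rewrite")),
    ("overflow", log_line("/cgi-bin/count.cgi?user=" + "A" * 3000, 500)),
    ("overflow", log_line("/" + "B" * 4000, 414)),
    ("overflow", log_line("/cgi-bin/form.cgi?name=" + "%90" * 1000, 500)),  # encoded high bytes
    ("cgi_abuse", log_line("/cgi-bin/view.cgi?file=../../../etc/passwd", 404)),
    ("cgi_abuse", log_line("/cgi-bin/form.cgi?cmd=%3Bcat%20/etc/passwd", 404)),
    ("cgi_abuse", log_line("/cgi-bin/search.cgi?q=x%0a/bin/ls%20-la", 404)),
]

MODEL = NearestCentroid(TRAINING)


def classify_line(line):
    """Label an unseen log line with the nearest category and its distance."""
    return MODEL.classify(line)


if __name__ == "__main__":
    # Held-out entries that differ from every training line: the .jsp overflow
    # from the thread, an encoded traversal, an encoded overflow, a plain page.
    for line in [
        log_line("/index.jsp?blah=" + "a" * 50000, 500),
        log_line("/cgi-bin/test.cgi?dir=%2e%2e%2f%2e%2e%2fetc%2fshadow", 404),
        log_line("/cgi-bin/search.cgi?q=" + "%41" * 2000, 500),
        log_line("/docs/manual/index.html.en"),
    ]:
        print(classify_line(line), target_of(line)[:60])
```

The held-out lines are the point: none of them appears in training, yet the 50000-byte .jsp request lands in the overflow cluster on length and run-length alone, and the traversal only scores on the suspicious-token feature because `decode_target` runs before `features` (on the raw `%2e%2e%2f` form the token count is zero). A neural network would replace `NearestCentroid`, but the decode-then-featurise order, and the need for training data that already contains encoded variants, stay the same.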